Grav CMS - Package Updates

Package Updates

[1.8.8]

• Update grav to 1.7.50.2
• Full Changelog
• Fix for SafeUpgradeService::getLastManifest() fatal error on upgrade #​3966

Package Updates

[1.8.9]

• Update grav to 1.7.50.3
• Full Changelog
• Restored user/config/system.yaml to 1.7 branch version (testing mode off)

Package Updates

[1.8.10]

• Update grav to 1.7.50.4
• Full Changelog
• More fixes and improvements for safe-uprade process

Package Updates

[1.8.11]

• Update grav to 1.7.50.7
• Full Changelog
• Exclude dev files from exports
• Remove dev file in clean command
• Ignore .github and .phan folders during self-upgrade
• Fixed path check in self-upgrade
• Fixed an issue where non-upgradable root-level folders were snapshotted
• Added new bin/gpm preflight command
• Added --safe and --legacy overrides for bin/gpm self-upgrade command
• Improved JS assets pipeline handling to support different loading strategies
• More safe-upgrade fixes around safe guarding /user/ and maintaining permissions better
• Fixed a regex issue that corrupted safe-upgrade output

Package Updates

[1.8.12]

• Update grav to 1.7.50.8
• Full Changelog
• Removed over zealous safety checks
• Removed .gitattributes which was causing some unintended issues

Package Updates

[1.8.13]

• Update grav to 1.7.50.9
• Full Changelog
• Better error warnings regarding upgrading from 1.7 -> 1.7 vs 1.7 -> 1.8
• Fix for update-provided Install.php not used if local version called first
• Fix class loading error when trying to use bin/gpm self-upgrade --safe

Package Updates

[1.9.0]

• Update grav to 1.8.0-beta.25
• Full Changelog
• Use dev-master branch of Clockwork to support Monolog2 / Monolog3
• AVIF image support via updates to getgrav/Image library
• Upgraded to Doctrine Collection 2.2
• Fixes for PHP 8.4 - Implicitly nullable parameter declarations deprecated
• Added back Missing RocketTheme\Toolbox\Event\EventSubscriberInterface for Gantry5
• Various fixes to use $log->debug(), $log->info(), $log->warning() and $log->error() For Monolog2 support
• Fixed a PHP compatibility issue with AbstractLazyCollection
• Deferred Extension support in Forked version of Twig 3
• Added separate strict_mode.twig2_compat and strict_mode.twig3_compat toggles to manage auto-escape behaviour and automatic Twig 3 compatible template rewrites
• Fix for cache blowing up when upgrading from 1.7 to 1.8 via CLI

girish

IMPORTANT Packages starting 1.8.6 to 1.9.0 have been revoked.

1.8.6 - 1.8.13 - Upstream has removed all 1.7.50.x packages. See https://discourse.getgrav.org/t/upgrade-to-grav-v1-7-50-9-not-working/29222/4

1.9.0 - had incorrect beta version update

Package Updates

[1.9.1]

• Update grav to 1.7.52
• Full Changelog
• GPM client now sends the running PHP version with index requests so the server can substitute PHP-aware compat fallbacks when a plugin's latest release requires a newer PHP than the client can run.
• [security] Extended default uploads_dangerous_extensions to include md, yaml, yml, json, twig, ini page-content extensions that can be weaponised via permissive form-upload accept policies (GHSA-w4rc-p66m-x6qq, defense-in-depth alongside the Form 9.1.0 plugin fix).
• Added foundation for migrating to Grav 2.0: cross-major auto-upgrades are blocked in GPM, and core now surfaces a next_major hint so admin can point users at the new migrate-grav plugin
• Added compatibility: blueprint support so plugins/themes can declare which Grav versions they support
• Added self-upgrade preflight that flags incompatible plugins/themes and psr/log / Monolog conflicts before proceeding
• Added upgrade resilience with automatic maintenance mode and opcache reset during self-upgrade
• Added new cache-cleanup CLI command to prune obsolete cache entries
• Added new onFlexDirectoryConfigBeforeSave event for Flex
• More readable time output in bin/grav logviewer #4009
• Fixed selectize field losing values when keyed options were used

Package Updates

[1.9.2]

• Update grav to 1.7.53
• Full Changelog
• [security] Direct web access to the user/accounts, user/config, user/data and user/env folders is now blocked outright in every bundled webserver config, closing a hole where files such as certificates, tokens and databases stored under user/data with an unlisted extension could be downloaded directly.
• [security] A backup deny-all .htaccess now ships inside user/accounts, user/config and user/data so Apache installs stay protected even when the site root .htaccess has been customised or is out of date.
• [security] The upgrade postflight now patches an existing stock root .htaccess to add the folder block automatically, so installs that updated from an earlier version are protected without editing the file by hand.
• [security] URL query image transforms (such as image.jpg?resize=) are now turned off by default and, when enabled, refuse oversized dimensions above a configurable pixel limit, closing an unauthenticated denial of service where huge resize values could exhaust server memory.